#web

## Summary An **open redirect vulnerability** has been identified in the **verify email endpoint** of Better Auth, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. ## Affected Versions - All versions prior to **v1.1.6**. ## Impact Attackers could craft malicious email verification links that exploit the redirect functionality to send users to untrusted domains. This can result in: - **Phishing attacks** – Users may unknowingly enter sensitive information on fake login pages. - **Reputation damage** – Trust issues for applications using Better Auth. ## Vulnerability Details The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An at...

TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.

TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.

TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.

Palo Alto, Calif., USA, 30th December 2024, CyberNewsWire

The ABB Cylon controller suffers from an authenticated path traversal vulnerability. This can be exploited through the 'devName' POST parameter in the ethernetUpdate.php script to write partially controlled content, such as IP address values, into arbitrary file paths, potentially leading to configuration tampering and system compromise including denial of service scenario through ethernet configuration backup file overwrite.

Proactive defenses, cross-sector collaboration, and resilience are key to combating increasingly sophisticated threats.

KrebsOnSecurity.com turns 15 years old today! Maybe it's indelicate to celebrate the birthday of a cybercrime blog that mostly publishes bad news, but happily many of 2024's most engrossing security stories were about bad things happening to bad guys. It's also an occasion to note that despite my publishing fewer stories than ever this past year, we somehow managed to attract near record levels of readership (thank you!).

IN THIS ARTICLE, YOU WILL LEARN: NFT-focused news website NFTEvening and the NFT market’s data and analytics-based platform…